Computer Viruses - A Protagonist's Point Of View
-----===] CORRUPTED PROGRAMMING INTERNATIONAL [===-----
== CPI Newsletter #1 ==
[ Article Written By Doctor Dissector ]
Released : June 27, 1989
Call The CPI Headquarters
619-566-7093
1200/2400 Baud :: Open 24 Hours
[1.1] Introduction:
-------------------
Welcome to "Computer Viruses - A Protagonist's Point Of View." This
letter is perhaps the beginning of a small newsletter. Well, this "letter"
is written by one person right now; maybe I'll get some people to send in
more info, ideas, and examples to CPI. If you would like to contribute,
please upload text files to CPI Headquarters (see heading for number) and
leave a note to me telling me you are contributing to our magazine.
Well, as an overview, this article will cover a few topics dealing
with viruses; however, there will be no examples covered as we are short of
programmers at the moment. That reminds me, if you would like to become a
member of CPI, fill out the accompanying text file and upload it to CPI HQ
as an upload to the Sysop, then leave me and the Sysop some mail to tell us
you registered to become a member. We will get back to you as soon as
possible.
The purpose of this magazine is to expand and broaden the general
computer user's view and knowledge of the dreadful computer Virus, as well
as a bit on Trojans (not the hardware, the SOFTWARE!). Then, after the
knowledge of these computer crackers is better understood, the second
purpose of this newsletter is to teach both methods of developing and
executing a better virus/trojan. We, VRI, feel viruses and trojans are a
vital part of the computer world, and should stand along the trades of
hacking, phreaking, cracking, pirating, and pyro as an equal, not something
to be looked down upon (unless you are hit by one...).
In the future, we hope CPI will grow and spread, just like a virus,
and encompass a large domain of the crackers, hackers, and other elite out
there so that the life of this group will be maintained, and that this
newsletter, hopefully, won't be the only issue to be released during the
group's existence.
Doctor Dissector
CPICV Editor/ANE Author
Table Of Contents-
Phile   Subject                                  Author
-----   ---------------------------------------------------------
1.1     Introduction & Table Of Contents.........Doctor Dissector
1.2     Viruses- What, Where, Why, How...........Doctor Dissector
1.3     Aspects Of Some Known Viruses............Doctor Dissector
1.4     Ideas For Future Viruses.................Doctor Dissector
1.5     Suggested Reading........................Doctor Dissector
1.6     Conclusion...............................Doctor Dissector
1.7     CPI Application..........................Doctor Dissector
Downloaded From P-80 International Information Systems 304-744-2253
----------------------------------------------------------------------
[1.2] Viruses- What, Where, Why, How
If you are a beginner in this field, you may be curious as to what
a virus/trojan is. Perhaps you heard about it through some BBS, or
know someone who had their system crashed by one. Well, this is for
you.
In the Trojan War, way back when, there existed the Trojan
Horse, right? Well, nowadays, there is a modern version of the Trojan
Horse existing in software. The modern, computer, Trojan horse is
really simple: a psychedelic hacker implants destructive code into a
normal (or fake) file. This modified/fake file, when executed, will
destroy or remove something from the host computer, usually format
the hard drive, delete all files, or something similar. In order to
distribute the corrupt phile, the hacker goes and does one or more of
various things, depending on how deranged this individual is (hehe).
These things are covered in the following section.
A virus, in normal terms, is an organism which spreads malignantly
from one host to another, transmitting itself through biological
lines so that both the previous host and the future host become
infected with the virus. Today, there are computer viruses, and just
like biological viruses, they spread from file to file, host to host,
infecting everything they "see." These computer viruses can either
destroy the code they infect immediately, or over a period of time,
corrupt or damage the host system they thrive upon. For example, a
virus hidden in a file on a BBS could be downloaded to a host system.
Then, the user who downloaded it executes the file, which executes
normally (as seen by the operator), but at the same time, the virus
attacks other files, and infects them, so that each file owned by the
user becomes infected with the virus. Then, at a given time or when
something is fulfilled by the host system, the virus becomes a trojan
and destroys, encrypts, or damages everything available, infected or
un-infected. In general, a virus is a timed trojan that duplicates
itself to other files, which, in effect sustains the virus's life-
span in the computer world, as more host systems are infiltrated by
the disease.
Now that I've given you a description of the computer virus and
trojan, we can go onto more complex things... well, not really...
Ok, now, let's trace the life of a virus. A virus/trojan is born
in the mind of some hacker/programmer that decides to develop
something out of the ordinary. Not all viruses/trojans are
destructive; often, some are amusing! Anyway, the hacker programs the
code in his/her favorite language; viruses can be developed with
virtually any language, BASIC, Pascal, C, Assembly, Machine Code,
Batch files, and many more. Then, when the disease is complete and
tested, the hacker intentionally infects or implants the code into a
host file, a file that would be executed by another un-suspecting
user, somewhere out there. Then, the hacker does one or more of many
things to distribute his baby. The hacker can upload the infected
file to a local BBS (or many local/LD BBS's), give the infected file
to a computer enemy, upload the infected file to his/her workplace
(if desired...hehe), or execute the phile on spot, on the host
system. Then the virus gets downloaded or executed; it infiltrates
the host system, and either infects other files, or trashes the
system instantly. Eventually, the infected system's user gets smart
and either trashes his system manually and starts fresh, or some mega-
technical user attempts to recover and remove the virus from all of
the infected files (a horrendous job). Then, the virus dies, or other
host systems that were previously infected continue, and accidentally
upload or hand out infected files, spreading the disease. Isn't that
neat?
Now, to answer your questions; I already explained what a
virus/trojan is and how they are developed/destroyed. Now, where do
these suckers come from? Why, some hacker's computer room, of course!
All viruses and trojans begin at some computer where some maniacal
hacker programs the code and implants it somewhere. Then, you ask,
why do they do this? Why hack? Why phreak? Why make stupid pyro piles
of shit? Think about it... This is an ART! Just like the rest. While
Hacking delivers theft of services, Phreaking delivers theft of
services, Cracking/Pirating delivers theft of software and copyright
law breaks, Pyro delivers unlawful arson/explosives, Viruses and
Trojans vandalize (yes, legally it is vandalism and destruction of
property) computer systems and files. Also, these are great to get
back at arch-computer enemies (for you computer nerds out there), and
just wreak havoc among your computer community. Yeah, PHUN at its
best...
----------------------------------------------------------------------
[1.3] Aspects Of Some Known Viruses
Many viruses have been written before, and probably will be after, you
read this article. A few names include the Israeli, Lehigh, Pakistani
Brain, Alameda, dBase, and Screen. Keep in mind that most viruses
ONLY infect COM and EXE files, and use the Operating System to spread
their disease. Also, many viruses execute their own code before the
host file begins execution, so after the virus completes passive
execution (without "going off") the program will load and execute
normally.
Israeli - This one is a TSR virus that, once executed, stays in
memory and infects both COM and EXE files, affecting both HARD and
FLOPPY disks. Once executed, the virus finds a place to stay in the
system's memory and upon each execution of a COM or EXE file, copies
itself onto the host phile. This one is very clever: before infecting
the file, it preserves the attributes and date/time stamp on the
file, modifies the file's attributes (removes READ only status so it
can write on it), and then restores all previous values to the file.
This virus takes very little space, and increases the host file size
by approximately 1800 bytes. The trigger of this virus is the date
Friday the 13th. This trigger will cause the virus to either trash
the disk/s or delete the files as you execute them, depending on the
version. Whoever wrote this sure did a nice job....
Lehigh - This one infects the COMMAND.COM file, which is always
run before bootup, so the system is ready for attack at EVERY bootup.
It hides itself via TSR type and when any disk access is made, the
TSR checks the COMMAND.COM to see if it is infected. Then if it
isn't, it infects it, and adds a point to its counter. When the
counter reaches 4, the virus causes the disk to crash. This one,
however, can be stopped by making your COMMAND.COM Read-Only, and the
date/time stamp is not preserved, so if the date/time stamp is
recent, one could be infected with this virus. This virus is
transferred via infected floppy disks as well as a clean disk in an
infected system. It can not infect other hosts via modem, unless the
COMMAND.COM is the file being transferred.
Pakistani Brain - This one infects the boot sector of a floppy
disk. When booting off of the disk, the virus becomes a TSR program,
and then marks an unused portion of the disk as "bad sectors." The
bad sectors cannot be accessed by DOS. However, a disk directory of
an infected disk will show the volume label to be @ BRAIN. A CHKDSK
will find a few bad sectors. When you do a directory of a clean disk
on an infected system, the disk will become infected. The virus has
no trigger and immediately begins to mark sectors bad even though
they are good. Eventually, you will have nothing left except a bunch
of bad sectors and no disk space. The virus itself has the ASCII
written into it with the words "Welcome to the Dungeon" as well as the
names of the supposed authors of the virus, an address, telephone
number, and a few other lame messages. To inoculate your system
against this virus, just type 1234 at byte offset location 4 on the
boot track (floppy disks).
Alameda - This virus also infects the boot sector of the host
system. It is very small and inhabits ONE sector. This one only
damages floppy disks. If you boot from a diseased disk, the virus
loads itself into HIGH memory and during a warm boot, it remains in
memory and infects any other clean disks being booted from on the
infected system. It then replaces the boot track with the virus track
and replaces the boot track on the last track of the disk, so any
data located on the last track is corrupted. All floppy disks
inserted during reboot can catch this virus. This virus only infects
IBM PC's and XT's, however, it does not infect 286's or 386's.
dBase - This one is a TSR virus that works in a manner similar
to the Israeli virus. It looks for files with a DBF extension, then
it replicates itself in all DBF files, preserving file size, and all
attributes. After the first 90 days, the virus destroys your file
allocation table and corrupts all data in the DBF files. This virus
creates a hidden file, BUG.DAT that indicates the bytes transposed
(in order to preserve file specifications). Run a CHKDSK to make sure
you don't have any extra hidden files or a BUG.DAT in your dBase
directory. If you create a BUG.DAT file manually in your directory,
making it read-only, you will be safe from this virus.
Screen - This one is another TSR virus that comes on and off
periodically. When it is on, it examines the screen memory and looks
for any 4 digits starting at a random place on the screen. Then it
transposes two of them; this is not a good thing. It infects every
COM file in your directory; HARD and FLOPPY disks can be infected.
You can use an ASCII searcher to check if you are infected by
searching for "InFeCt" in your COM files. If you have this written,
read the 4 bytes immediately preceding it and overwrite the first 4
bytes of the program with their value. Then, truncate the program at
their stored address. You will rid yourself of this virus. Make sure
you use a clean copy of your editor for this.
Other viruses target MAC, AMIGA, and many other environments.
By the way, other computer systems other than IBM/DOS may become part
of CPI if you qualify.
Anyway, these are a few viruses I have read on and thus passed
the information to you, I hope you can learn from them and get some
ideas for some.
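The checks this section describes (a BUG.DAT file, the "InFeCt" marker in COM files, and executables that change while their date/time stamp stays the same), as an added example that is not part of the original newsletter: a small Python scanner that compares COM/EXE files against a size-and-hash baseline. The function names, the SHA-256 baseline and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

MARKER = b"InFeCt"           # ASCII marker the article gives for the Screen virus
EXEC_EXT = (".COM", ".EXE")  # file types the article says most viruses infect

def fingerprint(data):
    """(size, sha256) of file content; timestamps and attributes are ignored on purpose."""
    return len(data), hashlib.sha256(data).hexdigest()

def files_under(root):
    """Yield (relative_name, Path) for every file under root."""
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            yield p.relative_to(root).as_posix(), p

def build_baseline(root):
    """Fingerprint every COM/EXE under a known-clean tree."""
    return {rel: fingerprint(p.read_bytes())
            for rel, p in files_under(root) if rel.upper().endswith(EXEC_EXT)}

def scan(root, baseline):
    """Return sorted (relative_name, finding) tuples for the indicators named above."""
    findings = []
    for rel, p in files_under(root):
        upper = rel.upper()
        if p.name.upper() == "BUG.DAT":
            findings.append((rel, "BUG.DAT present (dBase indicator)"))
        if not upper.endswith(EXEC_EXT):
            continue
        data = p.read_bytes()
        size, digest = fingerprint(data)
        if rel in baseline and baseline[rel][1] != digest:
            findings.append((rel, f"content changed, size delta {size - baseline[rel][0]:+d} bytes"))
        pos = data.find(MARKER) if upper.endswith(".COM") else -1
        if pos != -1:
            findings.append((rel, f"marker 'InFeCt' at offset {pos}"))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree after inert, constructed modifications."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "EDIT.COM").write_bytes(b"\x00" * 64)          # constructed sample file
        calc = root / "CALC.EXE"
        calc.write_bytes(b"MZ" + b"\x00" * 98)                 # constructed sample file
        baseline = build_baseline(root)
        stamp = calc.stat()
        calc.write_bytes(calc.read_bytes() + b"\x00" * 1800)   # 1800 inert bytes of growth
        os.utime(calc, ns=(stamp.st_atime_ns, stamp.st_mtime_ns))  # date/time stamp unchanged
        (root / "EDIT.COM").write_bytes(b"\x00" * 64 + b"ABCD" + MARKER)  # inert marker text
        (root / "BUG.DAT").write_bytes(b"")                    # empty indicator file
        return scan(root, baseline)

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

The content hash flags CALC.EXE even though its date/time stamp was put back, which is the case a stamp-only check would miss.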
----------------------------------------------------------------------
[1.4] Ideas For Future Viruses
Since I have covered viruses already in existence, let's talk
about viruses that can or may exist in the near future. These are not
even close to half the ideas possible for destruction with
trojans/viruses available, but will pose a challenge to you who
are short of ideas.
CSR Virus - A CMOS Stay Resident VIRUS that will implant itself
in the CMOS memory of the AT (286/386/486?) which will execute upon
every bootup. This one would be VERY nice.
Failsafe Virus - Preserves ALL attributes, Preserves file size,
remains TSR but hidden to TSR location programs, Modifies attributes
to get around Read-Only files, Infects ALL files (Not only COM and
EXE), encrypts all data on trigger (irreversible) but preserves
original file size/attributes.
Format Virus - A virus which is TSR and when a DOS format or any
other FORMAT type of call is called, will FORMAT every other track,
but will not allow DOS to notice.
Write Virus - A virus that intercepts write to disk, which
deletes the disk write, and marks sector as bad at write point.
ASCII Virus - Virus that would scramble ASCII text in any file
at trigger.
Low Level Format Virus - Virus that low level formats (BAD
format) HD in background with data still intact. I have seen regular
background LLF programs, and it keeps data in place, but it does it
correctly... hmmm...?
Hide Virus - A Virus that hides files slowly.
Crash Virus - Virus that emulates typical system crashes/freezes
occasionally. Causes BIOS to freeze and write BIOS ERROR messages on
screen.
Modem Virus - One that remains in boot sector and TSR and
monitors data from serial ports, puts in "artificial" line-noise.
NICE!
These are just a few I thought up... these could be really
good... Think of some more and call CPI HQ TODAY!
----------------------------------------------------------------------
[1.5] Suggested Reading
The following list is a compiled listing of some material I have
read as well as other sources you MIGHT find information on
concerning viruses and trojan horses. Happy trashing....
"Know Thy Viral Enemy" by Ross M. Greenberg
BYTE Magazine
June 1989, pg 275-280
"Viruses: Assembly, Pascal, BASIC & Batch" by Tesla Coil ][
Phreakers And Hackers Underground Network Newsletter (PHUN)
Issue #3, Volume 2, Phile #2
"Computer Viruses: A High Tech Disease" by Abacus
2600 Magazine
Volume 5, Number 2
----------------------------------------------------------------------
[1.6] Conclusion
Thus ends the first issue of CPI's "Computer Viruses: A
Protagonist's Point Of View." We hope you enjoyed it and we hope it
was informative and complete (at least about the specific issues).
We, VRI, hope that you will share your information and comments
with us at VRI Headquarters, as this newsletter will require both
information and an expansion of our current member base. If you feel
you have what it takes to gather, read, or program for VRI, send us
an application today.
Oh yeah, if this happens to be the only issue of VRICV, oh well,
and many thanx to those who read it at least once, and enjoyed it (or
laughed at it). Until our (my?) next issue, have phun and don't get
toooo wild......
=====[ CPI Headquarters * 619-566-7093 * 1200/2400bps * 24Hrs ]=====
[1.7] CPI Application
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>> CORRUPTED PROGRAMMING INTERNATIONAL <<
>> MEMBERSHIP APPLICATION <<
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
NOTE: The following information is of a totally confidential nature. We must
question you in depth and thoroughly so that our knowledge and idea
of you will be quite complete. Remember, it is the fate of our voting
members who will decide upon your membership, as the result of your
response to this questionnaire. Please answer the following completely
and to the best of your ability.
PERSONAL INFORMATION:
-----------------------------------------------------------------------------
Alias(es) You HAVE Used :
Alias(es) You Currently Use :
Your REAL FULL NAME :
Your Voice Phone Number :(###)###-####
Your Data Phone Number :(###)###-####
Your City & State :
Your Age :
Occupation/Grade :
Place Of Employment :
Work Phone Number :
Your Interests And Hobbies :
Is Your Job IN ANY WAY Related To ANY Governmental/Law Enforcement Agency?
If So, In What Way? (Such as FBI, Sheriff, Police)
:
:
COMPUTER INFORMATION/EXPERIENCE
-----------------------------------------------------------------------------
Computer Experience (time) :
Modeming Experience (time) :
BBS's You Frequent (Name/#) :
Elite References :
Computers You Have Used :
Computer You Are Using :
Computer You Prefer :
Languages You Have Tried :
Languages You Know Well :
Your Best Language :
Have You Ever Phreaked :
Do You Phreak A Lot :
Have You Ever Hacked :
Do You Hack A Lot :
Have You Ever Cracked :
Do You Crack A Lot :
Ever Made A Virus/Trojan :
Major Accomplishments :
MISC INFORMATION
-----------------------------------------------------------------------------
Answer In 4 Lines Or Less:
What do you think Corrupted Programming International is?
:
:
:
:
When did you first hear about CPI?
:
:
:
:
Why do you want to be a member of CPI?
:
:
:
:
Do you know any of the members of CPI? Can you name a few?
:
:
:
:
Have you considered the distribution of viruses/trojans as a "crime"? Why
or why not? (Morally speaking?)
:
:
:
:
Have you written any text files? (On any underground type of subject?)
:
:
:
:
Are you a member of any other group(s)? Can you name them and their HQ BBS?
:
:
:
:
Can you contribute to CPI? How?
:(Do you have access to info concerning virus/trojans)
:(Exceptional programmer?)
:(Got connections?)
:(Anything extraordinary?)
-----------------------------------------------------------------------------
.Answer Each Question To The Best And Fullest Of Your Ability.
-----------------------------------------------------------------------------
Upload ALL Applications To The CPI Headquarters BBS
*(619) 566-7093 * 1200/2400 * 24 Hrs*
Future CPI Support BBS's Will Be Active - Applications May Be Turned In Then